IBM’s Container Service: Container Security, Applied


Republished from the Integrated{code} blog

It’s no surprise to anyone that container security is still a hotly debated and discussed topic across the cloud ecosystem. Much of the debate hinges on an understanding that the full benefit of container technologies is only realized in a container native bare metal deployment, but many implementations are held back from this by the “safety net” of understood and vetted VM technology. Everyone from developers to IT execs to operators and admins wants to know that a true container native future for their cloud virtualization strategy is a “safe bet” that won’t come back to bite them (and their customers, data, and critical business processes) in the end.

To that end, you can easily find blog posts, tech journal write-ups, conference talks, and more recently, a couple of highly detailed “best practice” documents on container security topics. As a personal point of reference, a container security talk I gave at Docker London in July received over 8000 views on SlideShare in just a few weeks!

One recent addition to the pile of resources on this hot security topic was published by The New Stack, a popular site for tech journalism on cloud computing topics, not to mention a regular producer of podcasts, interviews, and pancakes too, in case you visit any popular industry conference these days. The New Stack recently invited Bryan Cantrill, Joyent’s CTO, to discuss the state of container security on a podcast titled “Security Must be a Top Priority with Container Deployments.”

I’ve always thoroughly enjoyed Bryan’s engaging style and his thoughts on containers and this podcast does not disappoint. However, at minute 16:00 Bryan stated:

“Certainly there is no cloud offering today that allows for two different tenants to run in two different containers on the same host that are mutually untrusted.”
Bryan Cantrill, Chief Technology Officer at Joyent

This caught my attention because this model, based on the Linux kernel isolation primitives as a substrate, is exactly what IBM’s own container cloud as a service is built upon. We built our cloud container native bare metal because, while much of the industry is busy opining about container security problems, we see it as our mission to jump in and help fix them. Bluemix, therefore, is our flagship demonstration that a container native bare metal cloud can be built.

We believe that Linux kernel-based isolation, along with the layers of security capabilities offered by Docker and the Linux ecosystem, some of which were contributed by IBM, is capable of providing this multi-tenant isolation for bare metal containers as required by our customers. We agree there is still work to do, but we are successfully operating a managed containers-as-a-service offering using these components, with open source contributions from IBM including:

…and many bug fixes and configured environmental protections too numerous to list. These open source contributions are in addition to technologies we are developing and delivering via our Bluemix container offering such as:

…and more to come. That isn’t to say that we don’t understand the continued need for improvement and development of further security enhancements in the Linux substrate, but we believe and are committed to continuing contributions to this stack of open source layers which are providing a performant and secure isolation layer for what we all call “Linux containers”, and we are offering it as a service to our IBM Cloud customers via Bluemix.
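The isolation the post describes is enforced by the kernel per process, and the kernel exposes much of that state in /proc/<pid>/status: the effective capability bitmask, the seccomp mode, and the no_new_privs flag. The following is an added example, not IBM’s, Docker’s, or Bluemix’s code, that decodes those fields so an operator can audit what a container’s process actually has rather than what the runtime’s defaults promise. The capability bit numbers are the standard Linux values; the two status snippets are constructed samples, and the CapEff value in the first one is the well-known mask of the Docker default capability set.

```python
"""Decode kernel isolation state from /proc/<pid>/status text.

Added example (not from the original post). Reads the CapEff, Seccomp,
NoNewPrivs and Uid fields and turns them into a short audit summary.
"""
import re

# Subset of Linux capability bit numbers (from <linux/capability.h>).
# Bits not listed here are reported as CAP_<bit>.
CAPABILITIES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE",
    31: "CAP_SETFCAP",
}

# Values of the "Seccomp:" field in /proc/<pid>/status.
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Constructed sample: a process inside a container started with the Docker
# default capability set and seccomp profile, running as uid 1000.
DEFAULT_STATUS = """Name:\tsh
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
NoNewPrivs:\t0
Seccomp:\t2
"""

# Constructed sample: a privileged container (full bounding set, no seccomp)
# running as root.
PRIVILEGED_STATUS = """Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
NoNewPrivs:\t0
Seccomp:\t0
"""


def parse_status(text):
    """Split 'Key:\\tvalue' lines into a dict; values keep their whitespace-separated form."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def decode_caps(hexmask):
    """Turn a 64-bit hex capability mask into the list of set capability names."""
    mask = int(hexmask, 16)
    return [CAPABILITIES.get(bit, f"CAP_{bit}") for bit in range(64) if (mask >> bit) & 1]


def isolation_summary(status_text):
    """Summarise the isolation state and flag settings that weaken tenant isolation."""
    f = parse_status(status_text)
    caps = decode_caps(f.get("CapEff", "0"))
    seccomp = SECCOMP_MODES.get(int(f.get("Seccomp", "0")), "unknown")
    no_new_privs = f.get("NoNewPrivs", "0") == "1"
    uid = int(f.get("Uid", "0").split()[0])

    findings = []
    if "CAP_SYS_ADMIN" in caps:
        findings.append("CAP_SYS_ADMIN in effective set: broad kernel access")
    if seccomp == "disabled":
        findings.append("seccomp disabled: full syscall surface reachable")
    if not no_new_privs:
        findings.append("no_new_privs unset: setuid/fscap binaries can gain privileges")
    if uid == 0:
        findings.append("runs as uid 0: host root unless a user namespace remaps it")

    return {"capabilities": caps, "seccomp": seccomp,
            "no_new_privs": no_new_privs, "uid": uid, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_STATUS), ("privileged", PRIVILEGED_STATUS)):
        s = isolation_summary(sample)
        print(f"[{label}] {len(s['capabilities'])} caps, seccomp={s['seccomp']}")
        for item in s["findings"]:
            print("   -", item)
```

To audit a live container, feed it the contents of /proc/<pid>/status for a process in that container (or /proc/self/status from inside it); a tenant-facing service should expect to see the reduced default set, a seccomp filter, and ideally no_new_privs set, and anything flagged in `findings` is a setting worth justifying per workload.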

We are also continuing to look at new technologies like the lightweight virtualization work at the OCI/runc layer, and even showed a proof-of-concept at DockerCon Seattle of one such pluggable-runc on our POWER platform with hardware assisted lightweight virtualization. We will continue delivering what we believe is of most value to our customers and provides them with a secure and appropriately isolated tenant environment based on Linux kernel container technologies.

If you haven’t had a chance to try out our Bluemix container cloud offering, note that you can easily get a free-tier 30-day trial account. The Docker client API is fully supported, as are container groups, the private registry noted above, and our entire catalog of cloud services, including logging, monitoring, public IP routing, and many other features.

And thanks, Bryan, for providing a launchpad for me to show off what IBM is achieving in the cloud today with our managed bare metal container cloud offering. I still highly respect your thoughts in this area, but I wanted to take the opportunity to say that one company has gone ahead and said “I’ll do it first!”
